Google Chrome Tabs Let Malware Sneak Into Businesses (6/2/2012) by Ryan Bingell


Summary:
Google recently released a new version of their browser, "Google Chrome." One of the new features in its most recent update allows users to sync browsing information such as settings and browsing history between multiple computers and mobile devices. For example, using the new tab-synchronization feature (called "tab-synch") in Google Chrome, you could look up ingredients for a recipe from a webpage on your phone by synching the Chrome session of your phone with your Chrome session from your home computer. Or, if you used Google Chrome at work to browse the web, you could also synch your personal browsing history and settings from your home computer to your work computer. However, the tab-synchronization feature does leave the potential for unwanted vulnerabilities. The most likely vulnerability seems to be a tab-synch between a user's home and work computers. In the event that the user's home workstation has been compromised with malware, it's entirely possible for a virus- or malware-infected homepage to be synched to the user's work computer, thus infecting their work PC as well. This type of cyberattack would be nearly impossible for a company's IT department to prevent. A less likely attack could be through a tab-synch where a site's malicious JavaScript code is synched from one PC or device to another. This attack has the potential to record a user's browsing history and passwords. Although no incidents have been reported to date, users of Chrome should definitely be made aware of the feature's vulnerabilities.

I wouldn't be surprised if Google made adjustments to the tab-synchronization feature of Chrome that "toned down" the items being synched. For example, not synching JavaScript browser add-ons (or "extensions" as called by Google) could prevent malicious code from being transferred between PCs. Another type of control could perhaps be implemented before synchronization. For instance, maybe before synchronization between machines, Chrome could run a quick search of the newly proposed homepage against a list of web addresses known for malware or viruses. Preventative measures like these could lower the threats of the feature.

Cyber-attack concerns raised over Boeing 787 chip's back-door (6/3/2012) by Ryan Bingell


Summary:
Two Cambridge researchers have uncovered a hardware back-door access point that appears to have been built into a critical computer chip used in Boeing's new 787 aircraft. The computer chip, known as "ProASIC3," is made by US manufacturer Actel, and is also used in consumer products and military equipment. The chip plays a significant role in the 787's flight applications. Although the ProASIC3 supposedly has well-designed software security, the discoverers of the back-door explain that what would allow simple trouble-shooting and testing by Actel designers could also allow individuals with ulterior motives to "disable all the security on the chip, reprogram cryptographic and access keys, or permanently damage the device." It was rumored that the back-door had been built in by a hacker during the chip's manufacture as part of a Chinese cyber-attack, but evidence exists to refute this claim. Perhaps the biggest threat to the 787 aircraft would be if the chip was connected to the Internet. According to the article, the researchers claim an internet connection could easily be established by connecting the chip to an internet-enabled controller. An internet connection established to the chip has the potential to spell a disaster similar to opening Pandora's box. As of the article's date (May 29, 2012), no acknowledgements or announcements regarding the design flaw have been made by Actel. The discoverers of the vulnerability claim to have also informed the appropriate government agencies.

It is unfortunate and disappointing that such critical computer hardware has such a major design flaw. However, what the article fails to mention (and maybe because it's due to Boeing's security concerns), is a description of the physical location of the chip in the aircraft as well as its physical protection. While the manufacturer may have needed the built-in back-door feature for testing, perhaps the condition of the chip installed inside the aircraft is acceptable as long as it's under extremely tight physical controls (i.e., tucked away from plain view, extremely inaccessible as well as under lock-and-key). Another thought I have is in regards to the security of the back-door. Is it possible that Actel could redesign the back-door to at least incorporate some added security or redesign the chip to remove the hardware back-door altogether now that testing has been completed?
